Context
Stage: Runtime / Ops
Tool: falco
Parent: (see container security parent issue)
Why falco
falco is the only CNCF-graduated eBPF/syscall runtime security tool:
- Monitors every syscall made by every container in the cluster in real time
- Detects runtime threats that static analysis cannot see: unexpected shell spawns inside containers, privilege escalation attempts, unexpected network connections, reads from
/etc/shadow, writes to /proc, unexpected process execution
- eBPF driver runs in kernel space — zero container modification, no sidecar injection
- 200+ default detection rules aligned to MITRE ATT&CK container tactics
- Integrates with Wazuh (Step 9) via falcosidekick → forwards alerts to SIEM for correlation
Static scanners (trivy, grype, hadolint) detect known vulnerabilities and misconfigurations at build time. falco detects exploitation of those vulnerabilities and novel attacks at runtime.
GitHub Actions workflow scope
The Runtime/Ops context does not run as a PR gate — falco operates as always-on cluster infrastructure. The GitHub Actions workflows in this issue cover:
- Lint and validate falco rules on PRs that modify
.falco/ or falco-rules/ — catches YAML syntax errors and unknown fields before deployment
- Deploy / update falco via the falco Helm chart on merge to
main (deployment workflow)
falco-rules-lint.yml — PR gate
name: Falco Rules Lint
on:
workflow_call:
inputs:
rules-dir:
description: 'Directory containing custom falco rules files'
default: '.falco'
type: string
Uses falco --validate (dry-run) to parse custom rules files and report errors without needing a running kernel driver.
falco-deploy.yml — deployment workflow
name: Falco Deploy
on:
workflow_call:
inputs:
cluster-name:
description: 'EKS cluster name'
required: true
type: string
falco-chart-version:
description: 'falco Helm chart version to deploy'
default: '4.x'
type: string
rules-dir:
description: 'Directory containing custom falco rules to include'
default: '.falco'
type: string
Deploys or upgrades falco via helm upgrade --install, mounting custom rules from the consuming repo's .falco/ directory as a ConfigMap.
Consuming repo usage
# .github/workflows/falco-deploy.yml
name: Deploy Falco
on:
push:
branches: [main]
paths:
- '.falco/**'
- 'infrastructure/falco/**'
jobs:
deploy:
uses: sparkgeo/github-actions/.github/workflows/falco-deploy.yml@main
with:
cluster-name: prescient-prod
falco-chart-version: '4.x'
rules-dir: .falco
Falco + Wazuh integration (cross-ref Step 9)
Configure falcosidekick to forward falco alerts to the Wazuh SIEM:
# falcosidekick values (in consuming repo's falco Helm values)
falcosidekick:
enabled: true
config:
webhook:
address: "http://wazuh-manager:55000/falco"
This integrates falco runtime alerts with the SIEM correlation rules in Step 9, enabling detection of:
- Container escape attempts (syscall anomalies → Wazuh alert)
- Unexpected outbound connections from containers (NDR cross-ref Step 13)
- Privilege escalation inside containers (IAM cross-ref Step 21)
Key detection categories
| Category |
Example falco rule |
MITRE ATT&CK |
| Shell in container |
spawned_process inside a non-shell image |
T1059 |
| Privilege escalation |
setuid binary execution |
T1548 |
| Credential access |
Read from /etc/shadow or /root/.aws |
T1552 |
| Exfiltration |
Unexpected outbound connection on non-standard port |
T1041 |
| Persistence |
Write to /etc/cron.d from container |
T1053 |
Context
Stage: Runtime / Ops
Tool:
falcoParent: (see container security parent issue)
Why falco
falcois the only CNCF-graduated eBPF/syscall runtime security tool:/etc/shadow, writes to/proc, unexpected process executionStatic scanners (trivy, grype, hadolint) detect known vulnerabilities and misconfigurations at build time.
falcodetects exploitation of those vulnerabilities and novel attacks at runtime.GitHub Actions workflow scope
The Runtime/Ops context does not run as a PR gate — falco operates as always-on cluster infrastructure. The GitHub Actions workflows in this issue cover:
.falco/orfalco-rules/— catches YAML syntax errors and unknown fields before deploymentmain(deployment workflow)falco-rules-lint.yml— PR gateUses
falco --validate(dry-run) to parse custom rules files and report errors without needing a running kernel driver.falco-deploy.yml— deployment workflowDeploys or upgrades falco via
helm upgrade --install, mounting custom rules from the consuming repo's.falco/directory as a ConfigMap.Consuming repo usage
Falco + Wazuh integration (cross-ref Step 9)
Configure
falcosidekickto forward falco alerts to the Wazuh SIEM:This integrates falco runtime alerts with the SIEM correlation rules in Step 9, enabling detection of:
Key detection categories
spawned_processinside a non-shell imagesetuidbinary execution/etc/shadowor/root/.aws/etc/cron.dfrom container